SYM_CONF_0048 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Permissive Cross-domain Policy with Untrusted Domains

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

The Function App's CORS policy allows requests from any origin (`*`), so a browser will let script running on any website call the app's APIs. This overly permissive setting exposes the application to unauthorized cross-origin access; the allowed origins should instead be an explicit list of the trusted domains that genuinely need to call it.
## Impact

An attacker can exploit this by making malicious cross-origin requests from an untrusted website, potentially stealing sensitive data or abusing the app's APIs. This raises the risk of data leakage, account compromise, and other attacks carried out through unauthorized cross-origin interactions.
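To make the weak and corrected settings concrete, and to show how the misconfiguration can be detected, here is an added Python example; it is not part of the original wiki entry or the Symbiotic project. The JSON shape (`properties.cors.allowedOrigins` / `supportCredentials`) is an assumption modelled on the ARM `Microsoft.Web/sites/config` resource, and the origins, hostnames and the `audit_cors` / `harden_cors` function names are constructed for this example.

```python
"""Audit an Azure Function App CORS setting for the wildcard / untrusted-origin
misconfiguration (CWE-942) and produce the corrected setting.

Assumption: the document shape mirrors the ARM resource
Microsoft.Web/sites/config (name 'web'). All origins and hostnames below are
constructed for this example and are not the project's own data.
"""
import json

WILDCARD = "*"
WILDCARD_REASON = "wildcard origin lets any website call the app's APIs"
UNTRUSTED_REASON = "origin is not in the trusted allowlist"
PLAINTEXT_REASON = "origin is not https, so it can be impersonated on the network"

# Constructed allowlist: the only origins that legitimately call this app.
TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def _site_config(allowed_origins):
    """Build a minimal site-config document in the assumed ARM shape."""
    return json.dumps(
        {"properties": {"cors": {"allowedOrigins": list(allowed_origins),
                                  "supportCredentials": False}}},
        indent=2,
    )


# Weak setting: the '*' policy this finding describes (constructed).
WEAK_SITE_CONFIG = _site_config(["*"])
# Hardened setting: an explicit allowlist of trusted origins (constructed).
HARDENED_SITE_CONFIG = _site_config(sorted(TRUSTED_ORIGINS))


def audit_cors(site_config_json, trusted_origins=TRUSTED_ORIGINS):
    """Return (origin, reason) findings; an empty list means the policy passed.

    Checks, in order: the wildcard that matches every website, origins that
    are not on the allowlist, and allowlisted origins that are not https.
    """
    cfg = json.loads(site_config_json)
    cors = cfg.get("properties", {}).get("cors") or {}
    findings = []
    for origin in cors.get("allowedOrigins") or []:
        if origin == WILDCARD:
            findings.append((origin, WILDCARD_REASON))
        elif origin not in trusted_origins:
            findings.append((origin, UNTRUSTED_REASON))
        elif not origin.startswith("https://"):
            findings.append((origin, PLAINTEXT_REASON))
    return findings


def harden_cors(site_config_json, trusted_origins=TRUSTED_ORIGINS):
    """Return the config with allowedOrigins replaced by the trusted allowlist."""
    cfg = json.loads(site_config_json)
    cors = cfg.setdefault("properties", {}).setdefault("cors", {})
    cors["allowedOrigins"] = sorted(trusted_origins)
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SITE_CONFIG), ("hardened", HARDENED_SITE_CONFIG)):
        print(f"{label}: {audit_cors(doc) or 'OK'}")
    print("corrected document:")
    print(harden_cors(WEAK_SITE_CONFIG))
```

On a live app the same check can be driven from the Azure CLI: `az functionapp cors show --name <app> --resource-group <rg>` returns the configured `allowedOrigins`, `az functionapp cors remove --allowed-origins '*'` drops the wildcard, and `az functionapp cors add --allowed-origins https://app.example.com` adds an exact trusted origin (the app and resource-group names are placeholders). Keeping the allowlist to exact `https://` origins is what turns the `*` policy into one that only the sites you trust can use from a browser.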